Using Local signing - API - Transaction (text) signing using Telia
Overview
The API contains one function: sign text with a Telia certificate.
Sign:
1. Send the text file to be signed to the API. The API returns an id value.
2. Create a signed JWT token with the payload attributes id=<value returned from the previous step>, success_url=<URL where PhenixID Signing Service should redirect the browser after successful signing>, failure_url=<URL where PhenixID Signing Service should redirect the browser after unsuccessful signing>, cancel_url=<URL where PhenixID Signing Service should redirect the browser after the user cancelled the signing>
3. Redirect the user's browser to URL?Authorization=<jwt_token>
4. The user signs against PhenixID Signing Services with the Telia certificate.
5. After successful signing and the redirect back, make a new call to the API to fetch the signed text file.
6. Store the signed text file.
Prerequisites
- PhenixID Signing Service configured for Telia Signing using the Configuration documentation Local signing - API - Transaction (text) signing using Telia.
- Username and password for API authentication
- Base URL for PhenixID Signing Services.
- Telia signing requires additional end user client software and browser settings. Read more about it at https://www.telia.se/privat/bredband/tjanster/produkt/e-legitimation
Fetch data to be signed
Fetch the data (text) to be signed. Put the data into a text file:
REPLACE_THIS_WITH_YOUR_TEXT_TO_BE_SIGNED
Example:
I hereby sign that the patient is Donald Duck.
Send unsigned text - api call
Request
Method: HTTP POST
Endpoint: /files/integration_dev_telia (may vary depending on backend configuration)
Headers:
Name | Value | Mandatory | Comment |
---|---|---|---|
Authorization | <basic_auth_value> | No | If applicable, username and password must be given to you by PhenixID Signing Service admin. |
Body:
The text content is put in the body.
Example request
POST /files/integration_dev_telia HTTP/1.1
Host: demo.phenixid.net
Authorization: Basic c2lnbl9hcGk6c2VjcmV0

I hereby sign that the patient is Donald Duck.
Response
Example response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 167
{
"id": "ae4466d8-e017-4e5c-9476-2c2635ae1ef2",
"size": 168,
"created": "2018-12-29T20:05:51.366Z"
}
Create JWT token
Create keypair and certificate to be able to sign jwt token
Create a keypair and certificate for signing jwt token. The certificate (public crt) must be distributed to PhenixID Server administrator.
Populate jwt payload
Populate the jwt with these properties:
Key | Value |
---|---|
jti | Unique ID of token. Generate random unique key. |
iat | Issued at value. Now in epoch time. |
nbf | Not before value. Now in epoch time. |
exp | Expires value. Now + 10 minutes in epoch time. |
id | Id value. The id returned from the first api call. |
success_url | The url where PhenixID Signing Service should redirect the browser after successful sign. This url must be constructed using the following pattern: https://<phenixid_signing_server>/<uri>/authenticate/logout/?nextTarget=<put_your_return_success_url_here> |
failure_url | The url where PhenixID Signing Service should redirect the browser after unsuccessful sign. This url must be constructed using the following pattern: https://<phenixid_signing_server>/<uri>/authenticate/logout/?nextTarget=<put_your_return_failure_url_here> |
cancel_url | The url where PhenixID Signing Service should redirect the browser after the end user cancelled the signing. This url must be constructed using the following pattern: https://<phenixid_signing_server>/<uri>/authenticate/logout/?nextTarget=<put_your_return_cancel_url_here> |
Example:
{
"jti": "xxxxyyyyyyyzzzzzzaaaaa",
"iat": 1521815800,
"exp": 1521815830,
"nbf": 1521815800,
"id": "ae4466d8-e017-4e5c-9476-2c2635ae1ef2",
"success_url": "https://demo.phenixid.net/telia/authenticate/logout?nextTarget=https://example.org/sign_success?state=myState",
"failure_url": "https://demo.phenixid.net/telia/authenticate/logout?nextTarget=https://example.org/sign_fail?state=myState",
"cancel_url": "https://demo.phenixid.net/telia/authenticate/logout?nextTarget=https://example.org/sign_cancel?state=myState"
}
Sign jwt token
Sign the payload with the private key of the keypair created in the previous step (the one whose certificate was distributed to the PhenixID administrator), using this JWT header:
{
"alg": "RS256",
"typ": "JWT"
}
JWT token value
JWT token value should now look something like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk0YTg1MjMxLWZhYWMtNGQxZC1iZTk1LWY5ZGY2ZjA3ODI5YSIsImp0aSI6IjEyMzEyMzEyMzEyMzQ1NjQ1NiIsImlzcyI6IkV4YW1wbGUgb3JnIiwiaWF0IjoxNTIxODE1ODAwLCJleHAiOjE1MjE4MTU4MzAsImF1ZCI6ImludGVncmF0aW9uLnBoZW5peGlkLnNlIiwic3ViIjoibXl1c2VyIiwiZmFpbFVSTCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvc2lnbl9mYWlsdXJlIiwic3VjY2Vzc1VSTCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvc2lnbl9zdWNjZXNzP2lkPTY5N2QxNmM5LTI4MzYtNGY5Ni1iYTM4LTJiY2I1NzdmOTg0MiJ9.H9bqf0cEpOWvm8zWNcEflIwb6zCHx_bcxXfuQP71zOk
Redirect user agent to PhenixID Signing Services
Now, redirect the user agent to the url: https://<phenixid_signing_service>/telia/?Authorization=<token_value>
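The JWT construction from the claim table above and the redirect URL of this step, as an added Python example (not PhenixID's code). It assumes the `cryptography` package for the RS256 signature, takes the server base URL and the `telia` path segment from the page's examples, and percent-encodes the nested nextTarget URL (the page's example embeds it raw, so verify which form your deployment expects):

```python
import base64
import json
import secrets
import time
from urllib.parse import quote, urlencode
SERVER = "https://demo.phenixid.net"  # base URL and <uri> taken from the page's example
URI = "telia"
LIFETIME = 600                        # exp = now + 10 minutes, per the claim table

def b64url(raw: bytes) -> str:
    # JWS compact serialization uses unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def logout_redirect(return_url: str) -> str:
    # Page pattern: https://<server>/<uri>/authenticate/logout/?nextTarget=<url>
    # Assumption: the nested URL is percent-encoded (the page's example embeds it raw)
    return f"{SERVER}/{URI}/authenticate/logout/?nextTarget={quote(return_url, safe='')}"

def build_payload(file_id: str, success: str, failure: str, cancel: str, now=None) -> dict:
    # Claims exactly as the page's table lists them; file_id is the id from the POST
    now = int(time.time()) if now is None else now
    return {
        "jti": secrets.token_urlsafe(16),
        "iat": now,
        "nbf": now,
        "exp": now + LIFETIME,
        "id": file_id,
        "success_url": logout_redirect(success),
        "failure_url": logout_redirect(failure),
        "cancel_url": logout_redirect(cancel),
    }

def signing_input(payload: dict) -> str:
    # base64url(header) "." base64url(payload), with the RS256 header from the page
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload)

def sign_rs256(payload: dict, private_key_pem: bytes) -> str:
    # RS256 = RSASSA-PKCS1-v1_5 with SHA-256. Assumption: `cryptography` is installed;
    # the key is the private half of the keypair whose certificate went to PhenixID.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    head = signing_input(payload)
    sig = key.sign(head.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return head + "." + b64url(sig)

def redirect_url(token: str) -> str:
    # Step 3 of the page: https://<server>/telia/?Authorization=<token>
    return f"{SERVER}/{URI}/?" + urlencode({"Authorization": token})
```

Pass the id from the POST response and your PEM private key to `sign_rs256(build_payload(...), pem)`, then send the browser to `redirect_url(token)`.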
Fetch signature result - the signed data
When PhenixID Signing Services has redirected the user agent back to the success URL, make this call to the API to fetch the signed data.
Fetch signed file - api call
Method: HTTP GET
Endpoint: /files/integration_dev_telia/<id_fetched_in_first_api_call> (may vary depending on backend configuration)
Headers:
Name | Value | Mandatory | Comment |
---|---|---|---|
Authorization | <basic_auth_value> | No | If applicable, username and password must be given to you by PhenixID Signing Service admin. |
Example request
GET /files/integration_dev_telia/a38cbd6e-e017-4e5c-9476-2c2635ae1ef2 HTTP/1.1
Host: demo.phenixid.net
Authorization: Basic c2lnbl9hcGk6c2VjcmV0
Cache-Control: no-cache
Response
The response contains the signed data, base 64 encoded.